Featured Slideshow

In a Dallas courtroom on Thursday, writer and activist Barrett Brown was sentenced to 63 months in prison and was ordered to pay a little more than $890,000 in restitution and fines, according to reports.

Upcoming Live Events

Be sure to stay tuned for breaking news on our 2015 conference and expo, which promises to deliver even more innovative programming and an enhanced showcase of the latest cyber security solutions you must see.

Conficker worm targets legitimate travel site

The website for a major commercial airline, along with a number of other legitimate sites, could face downtime due to the Conficker worm, a researcher said Monday.

Some 10 million computers worldwide have been infected by Conficker (a.k.a Downadup) and joined into a botnet. Each zombie machine is programmed to check in with approximately 250 URLs each day for more instructions, although there have yet to be any.

A few of these domains -- including a site that redirects to the official website of Southwest Airlines -- actually are legitimate web destinations, researcher Mike Wood wrote in a post on the SophosLabs blog. That means that certain URLs could be overwhelmed by queries. In the case of Southwest, the compromised machines were set to contact the site on March 13.

Sophos has contacted the owners of the legitimate domains, and as of Monday the Southwest Airlines site was unavailable. A request for comment to Southwest was not returned on Monday.

Microsoft is leading a coalition to disarm the pernicious worm, using reverse-engineered code that enables researchers to register the generated domain names before the bot herders can.

But legitimate domains that correspond to the call-home lists Conficker generates have two major problems,
Wood said.

“First, without proper investigation, they may end up on a blocklist and prevent users from accessing their services," he said. "Second, those millions of Conficker-infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack.”

Unless the worm is defeated, its menace could continue for a long time, Graham Cluley, senior technology consultant at Sophos, told SCMagazineUS.com.

“Conficker will continue to carry on and create domain names in its effort to find instructions on what to do next,” he said. “Right now it's running like a robot with no instructions – it's waiting for new commands. It's desperate for them, but none have been given to it yet.”

The worm generates a target list by looking at the current date and time and running a "deterministic domain generation" algorithm that works out a random name. The zombie machines look for instructions each day and even if there are no instructions on a given site, it still gets heavy traffic -- relatively few sites can handles 10 millions hits per day.

“In the old days, worms would only query a single site for instructions,” Cluley said. “That makes it easy for the authorities to shut down the site. With Conficker, there is a new list of names every day.”

SC Magazine arms information security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.